Jun 24, 2009

Forcing Demotion of a Domain Controller

The other day I was attempting to install new antivirus software on one of my company’s remote domain controllers. Everything was going fine except the antivirus couldn’t create the user account it needs to perform updates.

I checked the knowledge base for my antivirus company (It’s Sophos if you must know) and they suggested trying to manually create the account in Active Directory if it is on a Domain Controller. When I opened up Active Directory Users and Computers, it defaulted to the next closest Domain Controller. When I tried to select the server I was on, I got an error message.

Apparently, one of our systems administrators was doing some metadata cleanup a few weeks ago to try to fix some replication errors, and may have accidentally deleted this particular server’s role as a Domain Controller. Ouch!

It was still a part of the domain, so I tried to simply demote it and re-promote it again. This is where I ran into an issue. When I tried to demote it I got the following error:

Error: An error occurred:
Win32 Error 8419(0x20e3): The DSA object could not be found.

I tried a few things with DNS, but nothing worked. I finally had to break down and force the demotion of the server. If you have never done it, you run the following command:

dcpromo /forceremoval

This runs dcpromo and ignores all errors. Once complete, the server will reboot and will no longer be a part of the domain.

When that was complete, I deleted the server object from Active Directory Users and Computers, and forced replication to the other Domain Controllers. I then ran the ntdsutil command line utility to make sure there wasn’t any stale metadata left over.

After that I tried to rejoin the server to the domain. I wasn’t able to; apparently the SID data was still in AD. To correct that I ran NewSID from Sysinternals to change the SID and rebooted it. When it came back up, I rejoined it to the domain, and ran dcpromo successfully.
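For readers who want the concrete commands behind the steps above (force the demotion, clean up the stale metadata, force replication, verify, then rejoin), here is an added example that is not part of the original post. It uses the Windows Server 2003-era tools the post names (dcpromo, ntdsutil) plus repadmin, dsquery, dsrm and netdom, all of which ship with Windows Server 2003 or its Support Tools. The server name BROKEN-DC, the site Default-First-Site-Name and the domain DC=example,DC=com are placeholders, not values from the post.

```powershell
# Added example, not from the original post. Placeholders: BROKEN-DC (the DC being
# removed), Default-First-Site-Name (its AD site), DC=example,DC=com (the domain).

# 1. On BROKEN-DC itself: force the demotion. /forceremoval skips the checks that
#    fail with "Win32 Error 8419: The DSA object could not be found". The server
#    reboots as a standalone machine and is no longer a member of the domain.
dcpromo /forceremoval

# 2. On a healthy DC: see whether the demoted server's metadata still exists.
#    Forced removal never cleans up the directory, so it usually does.
$serverDn = "CN=BROKEN-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com"
dsquery * $serverDn -scope base          # prints the DN if the server object is still there

# 3. Before removing it, make sure the broken DC did not own any FSMO role;
#    a role still pointing at a dead DC has to be seized to a live one.
netdom query fsmo

# 4. Remove the stale DC metadata in a single non-interactive ntdsutil call.
#    Windows Server 2003 SP1 and later accept the full server DN; this deletes the
#    NTDS Settings object and its replication links.
ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit

# 5. The computer account the post deleted via ADUC can also be removed from the
#    command line if it is still present.
$computerDn = "CN=BROKEN-DC,OU=Domain Controllers,DC=example,DC=com"
if (dsquery * $computerDn -scope base) { dsrm $computerDn -noprompt }

# 6. Push the changes to every DC (all partitions, cross-site, push mode), then verify
#    that replication is healthy and the demoted DC is no longer listed anywhere.
repadmin /syncall /AdeP
repadmin /replsummary
dsquery server -forest                   # BROKEN-DC must not appear in this list

# 7. Only once the metadata is gone: on BROKEN-DC run NewSID (Sysinternals), reboot,
#    rejoin the domain, and re-promote it with dcpromo as the post describes.
```

The ordering matters: rejoining or re-promoting while a stale NTDS Settings object or computer account still references the old machine is exactly what produces the SID conflict the post ran into, so step 6 is the check to repeat until the demoted server has disappeared from every DC before touching the server again.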

I’ve been keeping my eye on it, and everything seems to be replicating without issue. Hurray!

This just goes to show you that when troubleshooting the underbelly (AKA the Schema) of Active Directory, be careful, and pay close attention to what you are doing. One simple mistake can cause big problems.

Has anything like this happened to you? What caused it? How did you fix it? Did you do something similar? Let me know in the comments.
